Re: AD and Expired Password Checking and how to test?



> The command line you suggested didn't work:

Doh, sorry my bad, I should have checked, pwdlastset isn't in the GC in the default schema and I assumed it was because my test forest had that changed. I need to spin up a raw do not touch the schema forest so I know what is and isn't in the default PAS set and indexed set. :)

> Here's what I got for 'maxpwdage':
> If I calculate correctly, the maxpwdage is 42 days, 22 hours, 47
> minutes, and 32 seconds.

That is an EXCEEDINGLY weird value. The policy system only allows for you to set whole day values which means that number should be a multiple of 864000000000. I would definitely correct that.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
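Added example (not code from the thread, from AdFind, or from any of the posters): a short Python script that does the arithmetic Joe's earlier reply describes, pwdLastSet plus the policy length, with native 64-bit integers, and applies the whole-day check on maxPwdAge that his reply above raises. The FILETIME constant is a constructed value chosen so that it renders as the 2006/08/31-05:08:20 Eastern Daylight Time pwdLastSet shown further down; the maxPwdAge is the domain value quoted below. The "never expires" sentinel for maxPwdAge is the documented int64 minimum value, which the thread does not mention.

```python
from datetime import datetime, timedelta, timezone

# Integer8 (int64) time attributes in Active Directory count 100-nanosecond
# ticks. pwdLastSet is an absolute FILETIME (ticks since 1601-01-01 UTC);
# maxPwdAge on the domain head is a negative duration in the same units.
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 24 * 60 * 60 * TICKS_PER_SECOND   # 864000000000, one whole day
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -0x8000000000000000               # documented sentinel: no expiry

# Constructed sample input: the FILETIME is the tick value AdFind would render
# as 2006/08/31-05:08:20 Eastern Daylight Time (UTC-4, so 09:08:20 UTC); the
# maxPwdAge is the domain value quoted in the thread.
SAMPLE_PWD_LAST_SET = 128014889000000000
SAMPLE_MAX_PWD_AGE = -37108517437440


def filetime_to_datetime(ticks):
    """Convert an absolute int8 FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_pwd_age_to_timedelta(max_pwd_age):
    """Convert the (negative) maxPwdAge duration to a positive timedelta."""
    return timedelta(microseconds=abs(max_pwd_age) // 10)


def is_whole_days(max_pwd_age):
    """Domain password policy is set in whole days, so a sane maxPwdAge is an
    exact multiple of TICKS_PER_DAY. Anything else deserves a closer look."""
    return abs(max_pwd_age) % TICKS_PER_DAY == 0


def max_pwd_age_breakdown(max_pwd_age):
    """Return (days, hours, minutes, seconds) of the policy, truncated to seconds."""
    total_seconds = abs(max_pwd_age) // TICKS_PER_SECOND
    days, rem = divmod(total_seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return days, hours, minutes, seconds


def password_expires_at(pwd_last_set, max_pwd_age):
    """Exact expiry instant (UTC), or None when the policy never expires
    passwords. pwdLastSet == 0 means 'must change at next logon', which is
    reported as already expired (at the epoch). A per-user DONT_EXPIRE_PASSWORD
    flag in userAccountControl is not consulted here."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set) + max_pwd_age_to_timedelta(max_pwd_age)


def is_password_expired(pwd_last_set, max_pwd_age, now):
    """True if the password has passed its expiry at the given UTC datetime."""
    expires = password_expires_at(pwd_last_set, max_pwd_age)
    return expires is not None and now >= expires


if __name__ == "__main__":
    d, h, m, s = max_pwd_age_breakdown(SAMPLE_MAX_PWD_AGE)
    print(f"maxPwdAge = {d}d {h}h {m}m {s}s, whole days: {is_whole_days(SAMPLE_MAX_PWD_AGE)}")
    print("pwdLastSet (UTC):", filetime_to_datetime(SAMPLE_PWD_LAST_SET))
    print("expires (UTC):   ", password_expires_at(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE))
```

Run stand-alone it reports the quoted maxPwdAge as 42 days 22 hours 47 minutes 31 seconds and flags it as not a whole-day multiple, which is the oddity Joe points out; the expiry works out to 2006-10-13 07:55:51 UTC, i.e. 03:55:51 EDT. The whole computation stays in integer ticks until the final conversion, which is the part VBScript gets approximately right and a 64-bit-native tool gets exact.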


ohaya wrote:
Joe,

The command line you suggested didn't work:

C:\tempdir>adfind -sc u:test2 pwdlastset -tdcs

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006

Using server: ctstepdown.whatever.com:3268
Directory: Windows 2000

dn:CN=test2,CN=Users,DC=whatever,DC=com


1 Objects returned



So I tried:

C:\tempdir>adfind -b "cn=users,dc=whatever,dc=com" -f "(cn=test2)" pwdLastSet -tdcs

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006

Using server: ctstepdown.whatever.com:389
Directory: Windows 2000

dn:CN=test2,CN=Users,DC=whatever,DC=com
>pwdLastSet: 2006/08/31-05:08:20 Eastern Daylight Time


Here's what I got for 'maxpwdage':

C:\tempdir>adfind -b "dc=whatever,dc=com" -f "(maxpwdage=*)" maxpwdage

AdFind V01.31.00cpp Joe Richards (joe@xxxxxxxxxxx) March 2006

Using server: ctstepdown.whatever.com:389
Directory: Windows 2000

dn:DC=whatever,DC=com
>maxPwdAge: -37108517437440

dn:CN=Builtin,DC=whatever,DC=com
>maxPwdAge: -37108517437440


2 Objects returned


If I calculate correctly, the maxpwdage is 42 days, 22 hours, 47 minutes, and 32 seconds.

So, the expiration date/time should be 10/13/06 @ 03:55:52.

Is that right?

So then, now I'm still puzzled why, when I set the system clock to (for example) 10/11/06, I get "Invalid credential" when I try to do a bind, using either a simple bind or SSPI bind.

I have not gone back further yet, e.g., 10/9/06, 10/8/06, etc. to try to see when exactly that "Invalid credential" starts occurring, but what else, other than fat-fingering the password, could be causing the bind to fail "ahead of" the expiration date?

Thanks,
Jim



Joe Richards [MVP] wrote:
Download my AdFind (http://www.joeware.net/win/free/tools/adfind.htm)

Then run the following command

adfind -sc u:username pwdlastset -tdcs

That will give you the exact time the password was set. Add the number of days for your expiration policy onto it and that is your exact expiration time. Note that it isn't just a day, it could be any time during the day.

AdFind isn't a script and deals with the 64 bit numbers natively and uses the Microsoft internal conversion routines so it will give you the exact time in the pwdLastSet (as well as any other int8 time attributes).


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net




ohaya wrote:
Joe,

Actually, no, I'm not positive about the "real" expiration date/time. As I mentioned earlier, a number of VBs show 10/13/06, and at least one shows 10/11/06. But then again, I've tested after setting the system time to 10/10/06, and got the Invalid Credentials then too.

I guess that's really the point/question... how to find the "real" expiration date/time, since AD doesn't have it stored anywhere :(...

Jim



Joe Richards [MVP] wrote:
Are you positive on the date/time the account is supposed to be expiring. VBSCRIPT has issues dealing with 64 bit values and most of the scripts I have seen are *close* for the time but never actually correct.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net




ohaya wrote:

Hi,

I have a sample VBScript program to check if a user's password has expired linked here:

http://www.rlmueller.net/User%20Password%20Info.htm

The program uses the value of the pwdLastSet attribute of the user and the maxPwdAge attribute of the domain. I have more info on handling Integer8 values like pwdLastSet and maxPwdAge linked here:

http://www.rlmueller.net/Integer8Attributes.htm


Richard,

I guess the thing that is really giving me a hard time is getting my code to detect that a password has expired when Windows thinks that it has expired.

I'll try to explain:

- I reset the password for a user, and the password expires on 10/13/06 @ ~03:55, according to various VBscripts that I tried (one said 10/11/06).

- I change the system date to 10/10/06, and try a bind, which fails. My program says that the password has not yet expired.

I guess that I've been assuming that bind failure is because Windows/AD thinks that the password has expired, but maybe there might be another reason why the binds would fail as I get "nearer" to the password expiration? FYI, when I ran an ldifde with a simple bind, the error I was getting was "INVALID CREDENTIALS".

I'm doing the bind using LDAP (i.e., using LDAP JDK). Is it possible that AD expires passwords for LDAP binds EARLIER than it expires something like an SSPI or Windows bind?

Jim

Hi,

I need to clarify what I said above: Actually, I am getting the "invalid credentials" prior to the password expiration date/time, even if I do an SSPI bind. Is there any way to find out why this might be happening?

Thanks,
Jim


